“Secure” Sites Are Actually Less Secure

The so-called trust marks are sold by almost a dozen companies, including Symantec, McAfee, Trust-Guard, and Qualys. In exchange for fees ranging from less than $100 to well over $2,000 per year, the services provide periodic security scans of the site. If it passes, it receives the Internet equivalent of a Good Housekeeping Seal of approval that’s prominently displayed on the homepage.

A recently published academic paper found an almost universal lack of thoroughness among the 10 seal providers studied. For one thing, the researchers carried out two experiments showing that the scanners failed to detect a host of serious vulnerabilities. In one of the experiments, even the best-performing service missed more than half of the vulnerabilities known to afflict a site. In another, they uncovered flaws in certified sites that a typical criminal hacker could find in less than one day.

That’s not all. The seal itself can make the site more vulnerable.

Most strikingly, the researchers developed attacks that are enabled by a site's use of a security seal itself, a shortcoming that ironically leaves sites displaying some seals more vulnerable than they would be without the service.

So not only should you ignore security seals, but you might want to hesitate before doing business with websites that use them.

Sam is the founder and Editor in Chief of Lawyerist.com, the best place for lawyers to learn how to start, manage, and grow a law practice, and home to the community of innovative lawyers building the future of law.